I think it's rather this:
3. People were already sitting on vulnerability reports from their own tools and threw them over the wall.
They were worried about getting scooped. They had to consider Mythos' alleged capabilities as a tool, and Project Glasswing potentially establishing a well-run disclosure and remediation process. Both could devalue preexisting results.